Flash Vulnerabilities Affect Thousands of Sites

kdawson posted more than 6 years ago | from the waves-of-shock dept.

Security 214

An anonymous reader sends us to The Register for this security news. The problem is compounded by the fact that some of the most popular Web development tools for generating SWF produce files containing the recently disclosed vulnerabilities. "Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave thousands of websites susceptible to attacks that steal the personal details of visitors. A web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn't quell the threat completely... No patch in sight from Adobe, that's the price to pay for depending on proprietary solutions."
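The summary says cleanup means combing website directories for SWF files and testing them one by one. As an added example (not code from the article, the book or Adobe), the Python below builds that worklist: it finds SWF files by header rather than by extension, checks the declared length, and groups identical movies so each distinct applet is tested once. The function names, the 64 MiB cap and the sample files are assumptions made for illustration, and it inventories files only; it does not detect the vulnerability.

```python
import hashlib
import os
import struct
import tempfile
import zlib
from collections import defaultdict

# SWF signatures: FWS = stored, CWS = zlib-compressed body, ZWS = LZMA body.
SWF_MAGICS = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
MAX_BODY = 64 * 1024 * 1024  # assumed cap: never inflate more than 64 MiB


def read_swf_header(head):
    """Parse the 8-byte SWF header; return None for anything else."""
    if len(head) < 8 or head[:3] not in SWF_MAGICS:
        return None
    declared_length = struct.unpack("<I", head[4:8])[0]
    return SWF_MAGICS[head[:3]], head[3], declared_length


def unpack_body(raw, compression, declared_length):
    """Return the uncompressed bytes after the header, or None if unavailable."""
    if compression == "none":
        return raw
    if compression == "zlib":
        # The declared length comes from the file itself, so bound the inflate.
        limit = min(max(declared_length - 8, 0) + 1, MAX_BODY)
        try:
            return zlib.decompressobj().decompress(raw, limit)
        except zlib.error:
            return None
    return None  # LZMA bodies are listed but not unpacked here


def inspect_file(path):
    """Describe one file if it is a SWF, whatever its name; else None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
        header = read_swf_header(head)
        if header is None:
            return None
        raw = fh.read()
    compression, version, declared = header
    body = unpack_body(raw, compression, declared)
    if body is None:
        digest, length_ok = hashlib.sha256(head + raw).hexdigest(), None
    else:
        # Hash the uncompressed form so FWS and CWS copies of a movie match.
        digest = hashlib.sha256(b"FWS" + head[3:8] + body).hexdigest()
        length_ok = (8 + len(body) == declared)
    return {"path": path, "compression": compression, "version": version,
            "declared_length": declared, "length_ok": length_ok,
            "sha256": digest}


def inventory(root):
    """Walk root and group every SWF found by the digest of its content."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            try:
                info = inspect_file(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if info:
                groups[info["sha256"]].append(info)
    return dict(groups)


def make_sample_swf(version, body, compressed):
    """Constructed test input: a SWF-shaped header around arbitrary bytes."""
    header = bytes([version]) + struct.pack("<I", 8 + len(body))
    if compressed:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


if __name__ == "__main__":
    # Constructed sample tree standing in for a web root.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ads"))
        samples = {
            "banner.swf": make_sample_swf(8, b"\x00" * 32, False),
            os.path.join("ads", "copy.bin"): make_sample_swf(8, b"\x00" * 32, True),
            "old.swf": make_sample_swf(6, b"\x01" * 32, False)[:-4],
            "index.html": b"<html>not flash</html>",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        for digest, items in inventory(root).items():
            print(digest[:12], "x%d" % len(items))
            for i in items:
                print("   v%d %-4s length_ok=%s %s" % (
                    i["version"], i["compression"], i["length_ok"],
                    os.path.relpath(i["path"], root)))
```

A `length_ok` of `False` marks a truncated or padded file that deserves a manual look before it is trusted as a real applet.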


Preference (0, Flamebait)

SniperClops (776236) | more than 6 years ago | (#21795728)

I've never been a fan of flash, I prefer HTML, CSS and PHP.

Re:Preference (1, Funny)

Anonymous Coward | more than 6 years ago | (#21795750)

And why do we give a fuck?

As if you have the same flexibility with HTML, CSS and PHP. Oh, wait. That doesn't matter, as long as you jump on the anti-Flash bandwagon, logic doesn't need to be present.

Suck my flashy dick.

Posting as AC 'cause the mods can't handle the truth.

Re:Preference (1)

palegray.net (1195047) | more than 6 years ago | (#21795798)

The parent post actually stated what I really wanted to say, instead of my polite reply post below. Someone please mod it up, if only as funny :).

Re:Preference (5, Insightful)

palegray.net (1195047) | more than 6 years ago | (#21795766)

Flash done right can be extremely useful, as a tool for adding a dynamic interface to a site. Unfortunately, Flash is (in my opinion) usually done horribly wrong, and implemented in a manner that doesn't give site visitors any alternate means of using the site. I've seen good implementations where Flash was used only for a particular application, and the rest of the site was done in standard-compliant HTML/CSS. I've also seen really scary work on countless occasions where the entire site was one big Flash presentation. Ugly stuff.

Re:Preference (5, Insightful)

JackMeyhoff (1070484) | more than 6 years ago | (#21796420)

Most flash is done WRONG unfortunately, and most sites either open in a new limited controllable window and / or have a screen area the size of a postage stamp. Flash sucks for many reasons, and these are 2 of them.

Re:Preference (1)

klecu (1144347) | more than 6 years ago | (#21796442)

I believe that a lot of the animation and interaction functions of Flash could be done in SVG or its ISO-approved, 3d cousin X3D. Obviously, video can't be done in one of those, but there are probably hundreds of video codecs to use that would work better.

Re:Preference (1)

weicco (645927) | more than 6 years ago | (#21796756)

I've also seen really scary work on countless occasions where the entire site was one big Flash presentation. Ugly stuff.

Offtopic: I've seen scarier work where the entire site was one big BMP image with a huge image map slammed on top of it.

Re:Preference (1)

Lennie (16154) | more than 6 years ago | (#21796782)

CSS and Javascript done right could be extremely useful, ... etc.

Re:Preference (1)

Skapare (16644) | more than 6 years ago | (#21795824)

What file format do you use for videos?

Re:Preference (5, Insightful)

Anonymous Coward | more than 6 years ago | (#21795976)

Depends on what you are trying to achieve, but I would never go with Flash. The only benefit of Flash is that it will keep the majority of users from "stealing" your content by downloading it and saving it to a file. And you also get to code up your own crappy player in it too. If you want it playable on the largest number of devices(what people normally claim is the benefit of Flash), then go with MPEG-1 which will work more places than Flash.

Re:Preference (1)

Lknight (125949) | more than 6 years ago | (#21796068)

Anyone who thinks having videos as flvs will keep the majority of people from "stealing" content clearly hasn't done a search for "save flv" on google. It's a pity no-one out there coded up an open source flash player [flowplayer.org] though. It would save lots of time and trouble.

Re:Preference (4, Interesting)

piojo (995934) | more than 6 years ago | (#21796134)

Anyone who thinks having videos as flvs will keep the majority of people from "stealing" content clearly hasn't done a search for "save flv" on google.
I'm certain that 90% of youtube users don't even know what a .flv is, let alone that they can be saved. Saving them even gives me trouble, and I've written screen scrapers and a (dysfunctional) web spider. Then again, I don't use flash sites enough to know what the proper ripping tools are, and I use Linux, so the proper tools may not exist for me.

Re:Preference (1)

stonedcat (80201) | more than 6 years ago | (#21796210)

If you're just talking about youtube: http://www.arrakis.es/~rggi3/youtube-dl/ [arrakis.es]

This has been packaged for several distros and is widely known. There are even several GUIs for it, however CLI is quite simple enough if you throw the script in /usr/bin.

Re:Preference (1)

compro01 (777531) | more than 6 years ago | (#21796228)

the DownloadHelper addon [mozilla.org] for firefox tends to work fairly well for me, though it gives you a list of the videos in each tab, and being as the names are usually just effectively random alphanumeric strings, it's hard to tell which videos you've downloaded and which you still need to get if you're wanting to grab a bunch of videos at a time.

the online converter at vixy.net also works, though it tends to get flaky at times (cutting off your download in the middle or throwing "invalid video ID" when the url is perfectly fine.) and is slow at best.

Re:Preference (1)

Rob Simpson (533360) | more than 6 years ago | (#21796438)

Most seem to be easy to save... just open up your cache directory, find and copy the file (usually the most recent large file) rename to .avi or whatever, and play. Works fine for me, except for a few of the largest files that don't seem to be cached in the normal way.

Re:Preference (2, Interesting)

Domstersch (737775) | more than 6 years ago | (#21796550)

Forget "power" ripping tools; they all seem to just come down to a regex through the source, pre-set for a given handful of sites. So, they break as soon as a site updates their page layout, and just plain don't work on other, more obscure, sites.

The best way I've found is to just open up Firebug to the 'Net' tab (looks like this [getfirebug.com] ), and look for the biggest request listed. This works because the browser has to make the request for the video at some point, even if that request is obfuscated in the source, occurs in Javascript, doesn't end in .flv, and so on. From there, it's just a right-click, and "Copy Location".

Re:Preference (0)

Anonymous Coward | more than 6 years ago | (#21796728)

I use Linux, so the proper tools may not exist for me.
The proper tool is a file browser pointing to the /tmp folder. That's where the Flash plugin stores all .flv videos. The file will be there until you leave the page that embeds the player applet. Just wait for the video to be cached completely, then take a copy before leaving the page. No special tools required.

Re:Preference (1)

kestasjk (933987) | more than 6 years ago | (#21796838)

ffmpeg does the trick, converting flv to avi (or whatever you like) with no problems. You can also get the ActionScript out of a .swf with no problems. It doesn't really protect your IP, but then again nothing does.

Re:Preference (1)

fean (212516) | more than 6 years ago | (#21796370)

Actually MPEG-1 is not supported natively by IE or Firefox.

Re:Preference (4, Funny)

Anonymous Coward | more than 6 years ago | (#21796916)

Keep your voice down...

You must be new here... this debate isn't about whether or not the suggested alternatives to Flash are supported or practicable.

It's more to do with people having a look at reality and coming to the conclusion that they just don't like or believe certain aspects of it.

Call it a selective disregard for the facts or utter stupidity if you will, but it's kinda groovy...

I think that the audio and video functionality of Flash/Flex can and will be replaced by chaz haskins' svg wondershow plugin.

See it's easy! get into it.

stealing flv is extremely easy (0)

Anonymous Coward | more than 6 years ago | (#21796444)

I don't know about windows, but on linux, whenever the flash plugin starts streaming a .flv file it is available as /tmp/FlashXXXXXX where the xs are some random letters. Just wait for the file to load completely, mv /tmp/Flash* ., profit. (no ??? involved).

Re:Preference (0)

Anonymous Coward | more than 6 years ago | (#21796304)

To specify: What file format do you use for streaming web video? There is no other format that will stream inside a browser without problems on most platforms. I wish we could dump Flash today, but MP4/FLV streaming is the one feature that makes it irreplaceable for now.

Re:Preference (5, Insightful)

Anomolous Cowturd (190524) | more than 6 years ago | (#21796268)

Not a fan of flash either, but the one application it is actually good for is the youtube-style video embedding. I prefer flash to the satan-spawned abominations quicktime & windows media player, as the platform support is better, among other things.

Re:Preference (1)

gordguide (307383) | more than 6 years ago | (#21796534)

I don't really see the value of "Youtube-style video embedding." What's it good for?

Flash Video files are the easiest to pull from a website; I've yet to find an embedded Flash Video file I could not save to disk. I can't say that for QuickTime; a few have eluded me. As for Windows Media, they are by far the most difficult to save to disk; I can't say I've been 100% successful on those.

Got some Flash content you think is safe? Post the url; I'll email the whole thing to you as a self-contained movie file. Guaranteed.

Give me five minutes; Flash is slower to stream than QT or WMV.

Re:Preference (1)

heinousjay (683506) | more than 6 years ago | (#21796648)

The value is that it lets you easily embed a video in a page in a way that'll work on 99% of computers.

Re:Preference (1)

KDR_11k (778916) | more than 6 years ago | (#21796764)

I don't think preventing downloads was his goal, just getting it to work.

Proprietary, huh? (5, Informative)

palegray.net (1195047) | more than 6 years ago | (#21795734)

Quoth the headline: "that's the price to pay for depending on proprietary solutions..."

There are open source implementations of the Flash protocol; I'm running Gnash [gnashdev.org] as my SWF player on Ubuntu 64, and it works just fine. Your mileage may vary.

Re:Proprietary, huh? (3, Informative)

palegray.net (1195047) | more than 6 years ago | (#21795744)

Oh, and by the way, those who wish to create Flash content may want to have a look at this site [mtasc.org] .

Re:Proprietary, huh? (2, Informative)

Anonymous Coward | more than 6 years ago | (#21795996)

Actually you would want to look at haXe [haxe.org]; mtasc was AS2.

Re:Proprietary, huh? (1)

Doc Ruby (173196) | more than 6 years ago | (#21795990)

How many times since you've installed it (when was that?) has a Flash applet failed to work at all, or been obviously buggy?

Re:Proprietary, huh? (4, Insightful)

Jack9 (11421) | more than 6 years ago | (#21796030)

Even open source implementations are vulnerable to XSS.

Attack scenarios work something like this: A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker.

In summary, "Phishing can work against Flash apps." Specifically, the article says someone at Google documented something about XSS working against Flash apps...being really light on the details. This could apply to Google's stock market Flex charting, for example. Adobe hasn't done anything about it and didn't respond to EMAIL inquiries about it.
My question is who asked The Register to troll against Adobe? AND how did it get posted on /. /Lemme know if I missed something.

Re:Proprietary, huh? (2, Insightful)

foreverdisillusioned (763799) | more than 6 years ago | (#21796568)

Even open source implementations are vulnerable to XSS.

Firefox + NoScript FTW. Filters XSS even from sites you've otherwise whitelisted (which does *very* rarely cause a problem, but you can manually override if necessary.)

Flash danger (4, Informative)

SoopahMan (706062) | more than 6 years ago | (#21796990)

One major issue with Flash is its ability to insert scripts into the actual page.

Say I want to read your email. I send you an email with a Flash animation in it. You read it and your webmail verifies there's no dangerous scripts in my email - but it's much harder to verify my Flash I sent you is safe. Which I'm counting on because I've put code in that creates a script tag in the webpage, downloads my dangerous script, and sends me your cookies. Now I can read your email.

Flash has been getting a free pass on security for a long time. Time for things to tighten up on the web viewer more widely installed than Internet Explorer.

Gnash is weak. (1)

seeker_1us (1203072) | more than 6 years ago | (#21796112)

It doesn't work many times, and it destabilizes the browser, often times causing it to crash on pages that don't even have flash on them.

Re:Gnash is weak. (1)

palegray.net (1195047) | more than 6 years ago | (#21796146)

I'd like to see specific, documented evidence of Gnash causing Firefox to crash on a page that doesn't contain Flash content. You can provide that, right?

Re:Proprietary, huh? (2, Informative)

bcrowell (177657) | more than 6 years ago | (#21796212)

There are open source implementations of the Flash protocol; I'm running Gnash as my SWF player on Ubuntu 64, and it works just fine. Your mileage may vary.
I tried Gnash, and it didn't work on the flash pages I tried it on. Although there are open-source development tools for flash, such as mtasc and haxe, there are a lot of obstacles, both legal and technological, that anyone will encounter if they try to do OSS development on the flash platform. If you want to generate AS3, the only OSS compiler is haxe, which doesn't implement the standard AS3 language. The Version 2 Components (flash's standard gui widget set) are under a license that prevents you from using them unless you own the Flash IDE. There are also patent issues with codecs; I believe Adobe is implementing some new audio and video codecs in the new versions of flash whose licensing is somewhat less problematic than the ones that used to be available, but you still can't use ogg or theora. Realistically, if you want to learn to develop flash using an OSS toolchain, you have a long, hard road ahead of you. You can't just buy a book on Flash and do what it says, because there are way too many bits and pieces that you can't reproduce without using the Adobe development tools.

Re:Proprietary, huh? (4, Insightful)

Deanalator (806515) | more than 6 years ago | (#21796352)

The problem isn't that adobe has a poor implementation of the flash protocol. If that was the case, they could just patch the issues (like in the past). These issues stem from the protocol itself, and that it is very liberal on how it defines access control. This is not something that can be fixed by open source. Even if gnash did have a top notch security team (which I doubt, since it sounds to me like they are still having trouble getting swf to parse safely), they would need to redefine much of the protocol, add proper mandatory access controls. Doing this in a way that would not break existing flash applets would be a huge pain in the ass. Not to mention having to go back and change everything again once adobe releases a new version.

Re:Proprietary, huh? (2, Insightful)

imr (106517) | more than 6 years ago | (#21796678)

There is one nice Free Software alternative to Flash as a streaming video embedded applet, it's cortado [flumotion.net] .

The problem is that it lacks a little more work to be always stable and some more to get other codecs like speex incorporated. But the developer is gone and nothing has been developed since 2006. So it could be a nice project to pick up for someone with knowledge in Java, who wants to do some useful work for the Free Software users instead of only relying on Free alternative to the Flash player which won't solve the main problem, the format. Right now, it's even worse, all linux distros rely on flash for their video solution, which is a pity.

Close to the point, with the way Java is designed, you don't have this kind of security issue, since you can't embed the player and stream videos from another domain.

Re:Proprietary, huh? (2, Insightful)

mha (1305) | more than 6 years ago | (#21797022)

Why is this article that doesn't explain ANYTHING, gives no references, and shows no hint of KNOWLEDGE on the part of the author, but only lists stereotypes, labeled "insightful"? I'm missing any insights!

The guy even calls Flash a "protocol"! This is the OPPOSITE of insight!!!

Re:Proprietary, huh? (2, Insightful)

Lennie (16154) | more than 6 years ago | (#21796742)

I think there are definitely other reasons why an open source mentality is important.

Who thinks anyone will be working on this grave security issue during the holidays?

If it was an open source project, I think it would be more likely a (or few) developer(s) would be.

I could be wrong of course.

What do you think?

I'm no fan of proprietary solutions, but... (1, Insightful)

capnkr (1153623) | more than 6 years ago | (#21795738)

...how does the fact that Flash is proprietary affect it's vulnerability? As in "that's the price you pay..."???

I don't get that part.

But I am crossing my fingers that this will help move designers away from using it. :)

Re:I'm no fan of proprietary solutions, but... (0)

Anonymous Coward | more than 6 years ago | (#21795812)

That was flamebait. Nothing more.

Re:I'm no fan of proprietary solutions, but... (4, Insightful)

Anonymous Coward | more than 6 years ago | (#21795818)

If it were open the source code could be audited and perhaps this vulnerability (or others) would have already been identified and corrected. With proprietary solutions you just don't get that option.

Re:I'm no fan of proprietary solutions, but... (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21795854)

How does the extra apostrophe you put in the possessive "its" help your sentence? I don't get that part. I am crossing my fingers and hoping you master this simple rule of english.

The price comes in.. (4, Interesting)

Junta (36770) | more than 6 years ago | (#21795870)

With respect to the "No patch in sight from Adobe" part, of course. If such a flaw was discovered by security researchers in firefox, they could do better than merely report the problem, it is within their power to correct the code and issue a third party patch/update if mainstream won't act. The vulnerability may not intrinsically be due to the proprietary nature (though external code audits might arguably occur to help, but I wouldn't guarantee it), but solving those problems cannot be done in a proprietary system except by the vendor.

The community might ignore such a patch, and it might not even happen that often, but if things were generally dire enough in a project's mainstream, a new leadership could fork the project and that is not unheard of in projects. Of course, it's common for distributions to apply security updates to their packages before upstream merges them, so it isn't *that* strange.

Not related to security, but the current version of the flash plugin, for example, breaks compatibility with linux opera and konqueror due to Xembed, and packagers' hands are kind of tied in terms of what to do about it. Of course, can also point out the ATI drivers, which suffer greatly from problems and are dealt with in a way that doesn't work.

Re:The price comes in.. (3, Interesting)

Blakey Rat (99501) | more than 6 years ago | (#21796330)

Say for example there was an open-source solution to do Flash-like animation and multimedia on websites (there isn't.) Let's call it Gnash.

Now let's say that Gnash works approximately like Flash does; you do your design in a 'source' file called a .gla which you then compile into a 'runtime' file called a .gwf. And version 5.0 of Gnash is buggy in such a way that .gwf files have a security vulnerability, based off legitimate Gnash features (so that the Gnash runtime can't just blanket disable the feature that causes the vulnerability). The only way to fix this problem is to individually inspect every .gwf file to see if they use the functions in question.

Furthermore, let's say for argument's sake that Gnash is hugely popular and millions of these .gwf files exist on the web, some on sites that no longer have access to the original .gla files.

How would the fictional Gnash open-source solution be any different or better than the proprietary Flash solution? Show your work.

All of this, of course, is assuming that there is an open source package that does what Flash does, and there isn't. So if you really think open source is really all that superior, why don't you make open source versions of things that people obviously want? Like Flash, for instance. Instead of just complaining that the proprietary solutions suck.

Funnily enough.. (2, Insightful)

Junta (36770) | more than 6 years ago | (#21796482)

gnash [gnu.org] does exist, it's a flash clone. So yes, an open-source 'solution' exists, that isn't mature. I can't tell whether you were being satirical in saying it doesn't exist, but just in case..

As to the question at hand, I don't know enough detail about the vulnerability myself, however note:

Stamos said Adobe is likely to update its Flash Player so it does a better job of vetting code variables before executing SWF files. But he said interaction with third-party code is such a core part of the way Flash works that updates to the player would likely provide only a partial fix.
So while I do not understand the technical details, those that do understand believe some sort of player-side sanity checks would be good to mitigate the consequences. In the open-source world, they would be able to construct a proof-of-concept publicly of a 'hardened' flash plugin that may avoid glaring mistakes. He does concede that while a player-side change could mitigate the exposure, the servers must recompile their end to be complete. Could they do it with Gnash? Maybe, if Gnash was even complete enough to even support the features that can be exploited here, which I don't know.

Re:I'm no fan of proprietary solutions, but... (0)

dwater (72834) | more than 6 years ago | (#21795876)

I'm thinking they said that because we now have to rely on a single company to fix it - though that isn't true either since, as I read it, a lot of authoring tools need fixing, not just Adobe's.

I wonder if that open source authoring tool and player also contain the problem. If so, it'd be interesting to see how quickly they're fixed.

A lot of the vulnerable Flash is THIRD PARTY (0)

Anonymous Coward | more than 6 years ago | (#21795746)

Many of the Flash problems they found were in .swf files produced by third parties, and not the flagship Flash program.

Re:A lot of the vulnerable Flash is THIRD PARTY (1, Informative)

stox (131684) | more than 6 years ago | (#21795820)

The vulnerability is in the proprietary flash player. It is easily exploited using files produced by third party tools.

Re:A lot of the vulnerable Flash is THIRD PARTY (1)

BungaDunga (801391) | more than 6 years ago | (#21796034)

Swish (a sort of dumbed down version of the real flash dev program) used to be able to get flash to execute Javascript by pointing links to "javascript:". Not terribly exploitable, but not exactly expected behavior. The newer versions of the flash player stopped it though.

Re:A lot of the vulnerable Flash is THIRD PARTY (3, Interesting)

FLEB (312391) | more than 6 years ago | (#21796144)

Unless the Reg article is being misleading, it doesn't look like much more than "XSS is possible in Flash apps". If that's the case, it's less a case of a "vulnerability" as Flash giving developers a hammer, and the devs bashing in their own fingers with it. As in JavaScript, as in PHP, as in CGI, as in any language that accepts input from outside-- never trust the input!

Or am I missing something?

Block Flash wherever possible (4, Informative)

cbhacking (979169) | more than 6 years ago | (#21795752)

It burns a lot of CPU time, uses a lot of bandwidth, crashes browsers, and - not for the first time - has serious security issues.

On Firefox, there's an extension called Flashblock [mozilla.org] . It blocks Flash by default, but allows you to re-enable it on a page-wide or applet-by-applet basis. Several other extensions will do the same thing.

In IE7, you can double-click a spot in the status bar (third box, right to left, of the boxes just to the left of the security zone indicator (the thing that usually says Internet)) or open the Add-on Manager from Tools in the command bar or menu bar, and disable or enable the Flash ActiveX control. This will globally enable or disable flash, but doesn't take effect on a given page until that page is refreshed. Alternatively, the third-party add-on IE7Pro has applet-by-applet flash blocking.

I realize that some sites need it, and on those there's nothing you can do about this problem except hope Adobe updates their software ASAP. For everywhere else though, do yourself a favor and block it.

Re:Block Flash wherever possible (2, Informative)

whitehatlurker (867714) | more than 6 years ago | (#21795778)

Opera - F12, deselect "Enable plugins"

whitelist sites via right-click, edit site preferences

Re:Block Flash wherever possible (0)

Anonymous Coward | more than 6 years ago | (#21795794)

Flashblock doesn't work with Noscript because flashblock requires javascript to be enabled to function (which noscript disables).

Noscript although has all the functionality of flashblock and is an all-around better solution.

Even Lynx had problems, so.... (3, Informative)

gnuman99 (746007) | more than 6 years ago | (#21795872)

You can say the same about Java, Javascript, Ruby, Python, browsers in general. Just revert back to using lynx I guess, but that had a remote hole as well! Actually 2 remote holes,

http://secunia.com/advisories/17372/ [secunia.com]
http://secunia.com/advisories/17216/ [secunia.com]

That is with just a text-only browser.

So, should we go back to using
    echo -e "GET / HTTP/1.1\nHost: slashdot.org\n\n" | netcat slashdot.org 80

Kinda sucks!

Clearly one of the answers is to limit the browser to sub-user access. I think that is what Vista tells us is happening there. Debian doesn't do that by default. But then I'm not sure how easy it would be to limit iceweasel (firefox) to not executable stuff except known plugins, etc...

As for the solution to problems like this, it is clearly the client that needs patching!! A client needs to handle ALL cases without allowing someone to compromise information, etc.

There is a balance between security and usability. You can't have both perfect at the same time.

Re:Even Lynx had problems, so.... (2, Funny)

Tumbleweed (3706) | more than 6 years ago | (#21796174)

So, should we go back to using
        echo -e "GET / HTTP/1.1\nHost: slashdot.org\n\n" | netcat slashdot.org 80

Kinda sucks!


Eff that. Gopher's still going strong!

Re:Block Flash wherever possible (2, Informative)

Ash-Fox (726320) | more than 6 years ago | (#21796944)

On Firefox, there's an extension called Flashblock. It blocks Flash by default, but allows you to re-enable it on a page-wide or applet-by-applet basis. Several other extensions will do the same thing.
Flashblock unfortunately loads the Flash file still as the page is loading momentarily before it 'blocks' it.

It would be nice if Firefox implemented Konqueror's feature of clicking a box to use the plugin. Unfortunately that stuff also breaks flash detection pages (which is why I suspect flashblock permits a small window of time for flash files to load).

Re:Block Flash wherever possible (1)

taviso (566920) | more than 6 years ago | (#21797036)

Interesting that you consider flashblock a security tool (I use flashblock as well, but simply to suppress the onslaught of distracting ads).

If there was a vulnerability discovered in flash player, flashblock would provide little protection, to demonstrate my point, install flashblock and click here [decsystem.org] (harmless testcase). Did flashblock prevent flash player from crashing, or taking down firefox?

(to pre-empt replies, yes i do know about noscript)

"the price to pay" ?? (0, Redundant)

Gothmolly (148874) | more than 6 years ago | (#21795770)

Can we be slightly more trollish ?

Re:"the price to pay" ?? (1)

Faylone (880739) | more than 6 years ago | (#21796270)

Yes. Try browsing at -1.

Re:"the price to pay" ?? (1)

Macthorpe (960048) | more than 6 years ago | (#21796396)

I always do, because I don't trust the Slashdot userbase to mod up comments that I'm interested in.

Different strokes for different folks, I guess.

Re:"the price to pay" ?? (0)

Anonymous Coward | more than 6 years ago | (#21797024)

mod this creep down for fuck's sake

Solution: FlashBlock (0)

Anonymous Coward | more than 6 years ago | (#21795772)

Re:Solution: FlashBlock (2, Informative)

Ash-Fox (726320) | more than 6 years ago | (#21796936)

https://addons.mozilla.org/en-US/firefox/addon/433
Flash files are momentarily still loaded as the page loads before flashblock kicks in.

Permanent workaround (5, Insightful)

noidentity (188756) | more than 6 years ago | (#21795802)

Funny, I've been using a permanent workaround since way before these were discovered: don't install Flash. As a bonus, you get notified with a blank screen when visiting a website with no useful content, so you don't waste any time trying to figure out how the hell to navigate it.

So you don't want to use YouTube then? (2)

samael (12612) | more than 6 years ago | (#21796890)

Which is just one site that does things in Flash that I certainly _do_ find useful...

Re:So you don't want to use YouTube then? (1)

mconstable (103362) | more than 6 years ago | (#21796950)

I'd rather not but I will as a last resort only if the content is not available elsewhere in downloadable format. I hate in-browser video regardless of whether it was flash based or not and I remain perplexed as to why most sites and people put up with the crappy flv experience.

Is slashdot evil? (3, Funny)

DAldredge (2353) | more than 6 years ago | (#21795828)

/. delivers proprietary flash content to us via a proprietary ad network. Does that make /. evil too?

What...the...fuck (0, Troll)

A beautiful mind (821714) | more than 6 years ago | (#21795834)

The authors have been working since the summer with Adobe, the developer of Flash, and the United States Computer Emergency Readiness Team to coordinate a remedy. But so far there is no estimate when patches may be released. A security update Adobe released this week for its Flash player doesn't fix the vulnerabilities, Stamos said. Adobe representatives didn't reply to emails seeking comment.
This is so irresponsible on so many levels! First of all Apple and their closed binary blob can go to hell with an attitude like this, second those security professionals should have really known better than to sit on a vulnerability like this for 6 months. 6 MONTHS. I can understand a month or two if we're talking about Oracle, but come on! There are always episodes like this to remind me not to use closed source programs.

Re:What...the...fuck (1)

sxtxixtxcxh (757736) | more than 6 years ago | (#21795884)

you forgot the s/Apple/Adobe/g after your copy/paste from your troll file

Re:What...the...fuck (1)

A beautiful mind (821714) | more than 6 years ago | (#21795898)

That was just a simple typo. I have no idea why I wrote Apple. Although I guess I should have previewed.

Re:What...the...fuck (0)

Anonymous Coward | more than 6 years ago | (#21796290)

That was just a simple typo. I have no idea why I wrote Apple.


Because 2008 is officially "The Year We Hate Apple Again."

No no no... (0)

Anonymous Coward | more than 6 years ago | (#21796016)

This is the very definition of "responsible disclosure". Because "responsible disclosure" is defined this way it must be responsible. You aren't going to argue with a definition are you?

Why was the book released before the patch? (1)

DAldredge (2353) | more than 6 years ago | (#21795838)

Why was the book released before the patch? "The vulnerabilities are laid out in the book Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions. It is due to hit store shelves soon, but is already in the hands of many security professionals. The book's authors, who work for penetration testing firm iSEC Partners as well as for Google, say a web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites." "The authors have been working since the summer with Adobe, the developer of Flash, and the United States Computer Emergency Readiness Team to coordinate a remedy. But so far there is no estimate when patches may be released. A security update Adobe released this week for its Flash player doesn't fix the vulnerabilities, Stamos said. Adobe representatives didn't reply to emails seeking comment."

Re:Why was the book released before the patch? (1)

burnin1965 (535071) | more than 6 years ago | (#21796018)

Why was the book released before the patch?

Probably because they have a deadline for their book and it seems you answered your own question in your post with ..."The authors have been working since the summer with Adobe, the developer of Flash, and the United States Computer Emergency Readiness Team to coordinate a remedy. But so far there is no estimate when patches may be released. A security update Adobe released this week for its Flash player doesn't fix the vulnerabilities, Stamos said. Adobe representatives didn't reply to emails seeking comment." I think the question we should be asking is, why is it taking so long for Adobe to address this issue, and why do they not even have a planned date for release of a patch?

Re:Why was the book released before the patch? (5, Informative)

CalTrumpet (98553) | more than 6 years ago | (#21796256)

Howdy... I'm actually one of the contributors to the book. We have been working with Adobe and CERT for a while on this issue, and we felt that as much time as is reasonable had elapsed since the initial reporting. The disclosure of security vulnerabilities is always a complicated ethical issue, and you have to weigh the public's right to know with the possibility that a speedy fix may reduce the overall damage from disclosure. Even with several months of work, "patching" the vulnerabilities is complicated, since the issues exist in the SWF files themselves and not in Flash player, so the only solution is for website owners to re-generate their Flash applets with the updated generators, which should be out shortly.

A more formal vulnerability report is being co-ordinated with CERT and should be out soon with the details of the issues.
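The cleanup described in the comment above starts with knowing which SWF files a site actually serves. As an added example (not part of the thread, the book, or any Adobe tool), this Python script walks a web root, finds SWF files by their header bytes rather than by extension, and reports version and length consistency so each file can be queued for review and re-generation; it does not detect the flaw itself, which the thread does not describe. The function names and the sample files are constructed for illustration.

```python
import os
import struct
import tempfile
import zlib

# The first three bytes of an SWF file select the body encoding.
SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
STATUS = {True: "ok", False: "bad-length", None: "unchecked"}


def inspect_swf(path):
    """Return SWF header facts for one file, or None if it has no SWF header."""
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) < 8 or data[:3] not in SIGNATURES:
        return None
    encoding = SIGNATURES[data[:3]]
    declared = struct.unpack("<I", data[4:8])[0]  # file length after decompression
    length_ok = None  # None = not checked (an LZMA body is not unpacked here)
    if encoding == "uncompressed":
        length_ok = declared == len(data)
    elif encoding == "zlib":
        try:
            # Cap the output so a hostile file cannot exhaust memory.
            inflater = zlib.decompressobj()
            body = inflater.decompress(data[8:], max(declared - 8, 0) + 1)
            length_ok = 8 + len(body) == declared
        except zlib.error:
            length_ok = False
    return {"version": data[3], "encoding": encoding,
            "declared_len": declared, "length_ok": length_ok}


def inventory(root):
    """List every SWF under root (by content) plus .swf names that are not SWF."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            info = inspect_swf(path)
            if info is None:
                if name.lower().endswith(".swf"):
                    rows.append({"path": rel, "status": "not-swf"})
                continue
            rows.append({"path": rel, "status": STATUS[info["length_ok"]], **info})
    return sorted(rows, key=lambda r: r["path"])


def build_sample_tree(root):
    """Write constructed sample files (not real applets), one per case."""
    body = b"\x00" * 32  # placeholder bytes standing in for the real SWF body

    def header(sig, version, length):
        return sig + bytes([version]) + struct.pack("<I", length)

    os.makedirs(os.path.join(root, "ads"))
    samples = {
        "banner.swf": header(b"FWS", 8, 8 + len(body)) + body,
        os.path.join("ads", "chart.bin"):
            header(b"CWS", 9, 8 + len(body)) + zlib.compress(body),
        "cut.swf": header(b"FWS", 7, 500) + body,  # declared longer than the file
        "fake.swf": b"<html>not flash</html>",
        "notes.txt": b"plain text",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for row in inventory(tmp):
            print(row)
```

Matching on header bytes also catches applets served under other extensions, such as the constructed `ads/chart.bin` sample.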

this isn't fixing the problem! (1, Offtopic)

wizardforce (1005805) | more than 6 years ago | (#21796362)

"patching" the vulnerabilities is complicated, since the issues exist in the SWF files themselves and not in Flash player, so the only solution is for website owners to re-generate their Flash applets with the updated generators, which should be out shortly.
why exactly is this not considered a problem with the flash player itself if it is executing code it shouldn't be? fixing the swf files themselves doesn't really solve the problem if it is still possible to create malformed swf files which can later be used in attacks because the flash player still handles that malformed code the same as always. right? this vulnerability can still be exploited by those who use the old swf generator to produce malformed swf files that still cause the problem in the flash players themselves.

Can someone explain how this is supposed to work? (1)

Rob Simpson (533360) | more than 6 years ago | (#21795848)

I've RTFA and even the comments, and I still don't understand.

Re:Can someone explain how this is supposed to wor (1)

wizardforce (1005805) | more than 6 years ago | (#21796080)

malicious strings are injected into the legitimate code through a technique known as cross-site scripting, or XSS.
it needs to make use of a cross site scripting vulnerability to inject the code needed to expose the flaw in flash files. If I RTFA right, the flash files themselves don't necessarily need to contain the code in and of themselves but can be made vulnerable with the XSS vulnerability. which I suppose makes sense, XSS vulnerabilities are associated with code injection that can cause some very bad things to happen even without the flash vulnerability.

Re:Can someone explain how this is supposed to wor (0)

Anonymous Coward | more than 6 years ago | (#21796126)

What I got out of it is that the SWF does need to contain the vulnerability,

"SWF files generated by six of the more popular content development tools automatically contain the bugs, according to the book. Those programs include DreamWeaver, Connect, Breeze - which are sold by Adobe - and TechSmith Camtasia, InfoSoft FusionCharts and software from Autodemo."

And while I do not use any of those things, I would still like to know what exactly this bug is so I can avoid writing it. How about just letting us know if it's AS2, AS3, or both? Or is this more a "Buy my book!" kind of thing than an advisory?

What about flash videos? (1)

whitehatlurker (867714) | more than 6 years ago | (#21795856)

Heise [heise-security.co.uk] points out that youtube FLV files are generated by youtube from other videos, but seems to leave open the possibility that FLV video files could be malicious in their own right on other sites. Clearly player programs could be malicious (or vulnerable) but what about the videos themselves?

Article is vague on the details... (2, Insightful)

Max Threshold (540114) | more than 6 years ago | (#21795858)

Attack scenarios work something like this: A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker.

Huh? So this is some kind of phishing attack? Exactly how is Flash involved, and what should we be watching out for? (Other than never entering important data into a form we reached by clicking... always good practice.)

Anything Open Source to replace Flash?? (0)

Zymergy (803632) | more than 6 years ago | (#21795906)

I am not a programmer, but it appears using proprietary closed architectures such as Flash/Shockwave might not be the wisest and most secure solution for an active browser plug-in.
(Or did the inventing source coders/programmers get 86ed following the Adobe acquisition of Macromedia and now Adobe can't put Humpty-Dumpty back together again?)

Are there any GPL'd Open Source browser plug-ins that can perform equivalent functionality to Flash/Shockwave?

Or... are we either left without, or to install .NET v1, v2, v3, v3.5, etc... and then utilize the proprietary Microsoft Silverlight plug-in? (And is it any better, safer, or more trustworthy?) http://www.microsoft.com/silverlight/faq.aspx [microsoft.com]
What of the non-Windows users who can't install ".NET Libraries"?

tubgirL (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21795974)

to b\e abou7 doing Posts on Usenet are

Flash: FAIL: (yes, it's worse than the blink tag) (2, Interesting)

Tragek (772040) | more than 6 years ago | (#21796050)

Flash fails worse than the blink tag. It feels like a system hacked on top of a system of broken systems. It's the single most frustrating "feature" to hit the web since the blink tag. To me, flash can be used in one of three ways, in decreasing amounts of popularity:

1) It provides a mechanism for young impressionable web designers to splatter their so called design spunk all over my screen in one gigantic wank-off-fest. Usually, resulting in pages that are so unusably bad, I can't begin to fathom how they were even passed by a blind retarded monkey, which should have said "FUCK OFF, you dumb twat, get a new pair of eyeballs!"

2) It provides a mechanism for young impressionable web programmers to splatter their so called programming spunk all over my processor in a gigantic waste of cycles, providing a service that's been done before, and done better by other plugins, by other desktop apps, by other non-retards.

3) It provides a mechanism for a few savants to create brilliant web pages, and applications by a minimal, or appropriate application of flash, in a way that is visually appealing, technologically sound, and generally couldn't be done better by something else, popularly available.

I see the first all the time. I'm forced to endure the second often, whenever a "COOL VIDEO" comes from friends, on youtube, and the third, I rarely notice.... because good design with flash fades into the background.

Of course, I'm not going to lie: I'm biased, because flash sucks gigantic testicles on the Mac.

Flash: PASS: (the blink tag was never good) (2, Insightful)

Tumbleweed (3706) | more than 6 years ago | (#21796284)

To me, flash can be used in one of three ways, in decreasing amounts of popularity:

Nice rant, but you seem to fail to realize that the web, and computer software in general, tend to fall in the same sort of categories. That's just the way it is. Don't forget Sturgeon's Revelation, "90 percent of everything is crud." (Though I believe this estimate to be conservative, and certainly the adjective chosen is much more polite than is usually quoted.)

I'd rather have the possibility of having those few brilliant Flash-based sites/RIAs than to NOT have that ability at all. If you don't like the show, change the channel.

In other words, get over it. :)

it's all about advertising (1)

Hannes2000 (1113397) | more than 6 years ago | (#21796892)

Sadly, there are enormous amounts of money being made with these annoying, ugly, blinking Flash websites and layer-ads, (mainly) because of the enormous amount of stupidity of designers and their clients. Unfortunately, blinking ads and websites do work, and they attract way more users (i.e. possible customers) than well-designed and appropriately built sites.

If Flash would be erased, the industry would come up with just another technology to drive sophisticated users nuts. So the only way to deal with this is to gain control over the force of ad-blocking and Flash-blocking contraptions, and if you ever encounter some jerk giving a webapp "more 'boost', a bit of 'zoom' and a little extra 'swoosh'", tell him why everything he's doing is wrong and encourage him to make it better. I'm doing this all the time and I think I may have achieved some progress. There's a better web ahead, and I bet it even can include Flash ;-)

Hey, you forgot to say how! (1)

r00t (33219) | more than 6 years ago | (#21796056)

I need some example code. Uh, for my research.

Re:Hey, you forgot to say how! (1)

BiggerIsBetter (682164) | more than 6 years ago | (#21796888)

I need some example code. Uh, for my research.

It's all in the book. You just have to buy it...

More seriously, I don't care who the authors are, who they are working with, when it was discovered, or when the official patches will be out. I care about disclosure so I can rectify or mitigate the problem, and that's something the "good guys" have not done. So far, I've read a fucking marketing extract, designed to drum up some interest in a little fund-raiser for the boys? *My* computers, networks, servers, and reputation may be vulnerable, but these assholes want paid before they'll tell me about it? Fuck them. Flash just got disabled - everywhere. Why? Because as someone who has had a glimpse into the world of IT security, I'm *sure* the "bad guys" will know all about it by now, without buying the book.

bless the clods... (1)

godawsgo (852260) | more than 6 years ago | (#21796082)


... i'm on an amiga.

Stupidest Example (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21796092)

Why the hell would you use a SWF for credit card details? Approx 100,000 CC numbers have been phished from this site and it's still live [dwarfurl.com] [toybox.com]

rofl flash sucks (0)

Anonymous Coward | more than 6 years ago | (#21796216)

since i don't use flash. flash sites. or even allow it to ever install. i don't think i will worry too much.

any site that requires flash. has a non-flash equivalent somewhere. screw flash. i don't feel i've missed anything important.

as an added bonus. i haven't seen a blinking, moving, annoying sound making flash ad in years.

And now i find me and my data are more secure for not ever allowing adobe's bloated crud to touch my pc. nice. very nice.

Just more X-Site scripting = Relax a little (5, Informative)

Twillerror (536681) | more than 6 years ago | (#21796252)

From what little I can get from the article this seems like just another cross site scripting attack.

Although this can "help" an attacker steal information the end user still has to click a link provided by the attacker that tricks the user into thinking they are on someone else's site and seeing content that site generated.

Cross site scripting attacks are not to be laughed off, but they do tend to get overexaggerated. When is the last time you clicked on an email link sent to you out of the blue...and then stuck in your user name and password.

People could just as easily fall for attacks like this that don't even change the URL. Not to mention that this has to upload the payload to a server. Meaning you can steal people's information, but it has to go to an IP somewhere. Maybe if law enforcement would get off their behinds and go after these f'ers it wouldn't be such a big issue.

All the anti-flash posts need to get down voted. I could easily say that Jscript sucks because of all the various security issues it has had over the years, but it isn't useful or productive. Flash is what flash is...you don't like it...don't install it and shut up and let the rest of us use it.

Re:Just more X-Site scripting = Relax a little (1)

wjsteele (255130) | more than 6 years ago | (#21796874)

"When is the last time you clicked on an email link sent to you out of the blue...and then stuck in your user name and password."


Therein lies the problem. You assume that it requires you to do that. Simple XSS hacks take you to a page where you login. Advanced (read real) XSS hacks take you to pages where you have already logged in. Say, for example, an e-mail system. They do it using a hidden iFrame, so you never even see it. Then the script can "browse" the site looking for key bits of information and will then pass it on to a malicious site via a hidden post. You will never even be aware that the hack has taken place.

A lot of times hacks like this simply crack open the door to other hacks. But, each one gives the hacker more and more information... closer and closer to the secrets.

Don't underestimate these "simple" type of attacks. They can be and are a lot more dangerous than you think.

Bill

Flash: The Best Among Bads? (2, Insightful)

RAMMS+EIN (578166) | more than 6 years ago | (#21796448)

My feelings about Flash are kind of mixed. On one hand, it's proprietary technology. Specifications have, at some point, been published, but I don't think they are current, and there certainly isn't a full-featured implementation from anyone other than Adobe. This is bad.

On the other hand, looking at what Flash does, and at other technologies that do these things, it seems to me that Flash is clearly technologically superior. I don't know how large the browser plugin is these days, but the one that used to come with Opera used to be very small, and yet provide features that web masters are trying to kludge together with AJAX and whatnot, and for which the W3C has come up with the gargantuan SVG, which has even more elephantine implementations. Flash is the clear winner here.

And then, of course, there is the misuse of Flash for things where Plain Old HTML would be much better. But then again, if Flash were a widely-implemented open standard (rather than a widely-implemented proprietary technology which yet leaves some users in the cold), perhaps such use wouldn't be _mis_use.

So, all in all, I think that Flash would be _great_ if it weren't proprietary...but the fact that it _is_ proprietary is a real obstacle.

Flash != Evil (5, Insightful)

ckorhonen (1207018) | more than 6 years ago | (#21796826)

I really would like to hear details of the 'vulnerability' just so I can begin checking our code and performing an assessment of whether or not this is a credible and realistic threat to the security of our customers.

In the past, many vulnerabilities have been reported on the Flash player, but most of them follow a similar kind of theme - the rogue SWF file must be created with third party authoring tools, and/or modified in a hex editor, in order to put the malicious code in there to begin with. In addition, due to the security sandbox and crossdomain restrictions, it needs to be downloaded from your site anyway. So, it's perfectly possible for a SWF to wreak havoc on a user's machine, the only caveat is that someone within a company, with access to the web servers and source code, would need to have created it in the first place - something I'm sure is indicative of a larger problem!

Oddly, most non Flash/web developers tend not to see it that way - I have a beautiful MP3 of a conversation I had with one of our 'Security' people who just consistently ranted on about undisclosed vulnerabilities as a reason not to use Flash in a project.

In my years of working with the web and the Flash platform, I have not yet seen a single workable exploit that could present a credible threat to the majority of Flash users on the web, not without the user or the site already being compromised in some manner.

The only somewhat grey area is where Flash is used for online advertising, but you will find that most of the main publishers out there are aware of this and perform some level of code review on ads before they go live - I work for a bank and we don't run any 3rd party adverts without seeing the source code and decompiling any SWF assets provided.

Really guys, the Flash platform isn't the cloud of evil you are making it out to be. Granted, it has been used for some really annoying things in the past, but used right, it can really help to deliver a friendly, usable and engaging user experience. In addition, in Adobe's hands we have seen it become more open than ever before - Flex, AMF, Tamarin, all released as open source in the past year. I'd be surprised if this trend does not continue.

Re:Flash != Evil (1)

flajann (658201) | more than 6 years ago | (#21797012)

I have mixed feelings about Flash. I think Flash has the potential to deliver amazing content, but so far the use of Flash has been mostly abysmal. 99% of Flash usage seems to be simply for doing eye-catching -- and also CPU-sucking -- advertising. Almost never do I see Flash used to truly enhance the user experience in a way that HTML never could.

On the other hand, having a consistent platform to launch a web application without worry from all the browser differences is a definite plus. But even here Flash has problems as many websites I visit will tell me "You need Flash 8" or "You need Flash 9" to view the content or no dice. Unless the site has something I truly need, I usually don't bother with going through the bother of downloading "the latest". Got no time for that BS.

Back before Flash took over the world from Java, I had the same inane problems with browser JVMs, and was always frustrated I couldn't make use of the latest and greatest features of Java because I couldn't depend on people upgrading their JVMs!

Well, I guess I've been on all sides of the "fence" here. I am toying with the idea of picking up ActionScript someday, as I'd rather write the code myself rather than rely on 3rd party proprietary tools to generate questionable code for a proprietary platform -- and besides, I can always do far more than those tools will allow me to do, anyway.

Of course, I consider this one particular article on a "potential" XSS exploit to be more hype than substance -- especially since they aren't disclosing the details of the possible vulnerability, which is silly since so many need to be informed as to whether there's really a cause for concern or not -- but then, that's the whole idea, right? You can't sell books or other "solutions" unless you can generate lots of FUD. And that, my friends, is the real problem. It's a Memetic Mind Exploit to trick $$$$ out of your wallets!

firefox + noscript... (1)

hitmark (640295) | more than 6 years ago | (#21796906)

condom of the digital age?

flash == esthetic evil (1)

lingoman (793455) | more than 6 years ago | (#21796964)

Aside from security and open-sourcedness, most Flash is just plain ugly.
On Linux, I never installed the plugin. On Mac, I have flashblock [mozdev.org] . And I'm happy.
What am I missing? So much Flash content reminds me of the old popup world.
It's the advertisers who are unhappy. Recently CNN has retaliated by refusing to show news video clips because I have flashblock. I never liked suffering through its ads anyway.